Sunday, March 8, 2009

Windows UAC rootkit

Last week, my mother-in-law had me look at her laptop because she couldn't defrag her disk, and "Google wasn't working". I thought perhaps her Google problems were related to her satellite internet, and I didn't think defragging really mattered anymore, so I thought perhaps nothing was wrong.

My gut was very wrong.

I was able to get Google results, so I assumed Google worked. Additionally, her Gmail came up fine in Firefox and in Outlook. However, her defrag didn't work. The defrag UI would start, but it wouldn't perform a defrag or analysis, so I tried googling for a diagnosis of these symptoms.

Then I discovered what my mother-in-law meant when she said "Google wasn't working."

Whenever I clicked on a Google search result in Firefox, I was redirected to spam sites like couponmountain.com. When I tried to navigate directly to some security sites or Microsoft Update, my browser would fail to connect to the site.

Unfortunately, my mother-in-law had gotten a rootkit somehow, and her AVG antivirus was unable to detect the rootkit, and neither could Spybot or Ad-Aware. Thankfully, the above link outlined a fix using ComboFix, malware removal software I'd never heard of, but it worked perfectly. I had to download the installer from another machine because the rootkit prevented me from connecting to the download site. After downloading, I changed the name of the executable so the rootkit wouldn't stop it from running. I followed all the recommendations of the ComboFix prompts and poof! No rootkit.